All right, thank you very much. Coming up next, we have Assessing Election Infrastructure with Jason Hill, Genevieve Marquardt, please correct me if I'm pronouncing that wrong, and Derek Thornton. And I'm gonna read their bios real quick while they get up here. So Jason Hill is the Chief of the National Cybersecurity Assessments and Technical Services (NCATS) branch of the Cybersecurity and Infrastructure Security Agency (CISA). In this capacity, Jason has primary responsibility to deliver quality security testing and analysis to customers that include the federal government, state, local, tribal, and territorial governments, as well as private sector critical infrastructure stakeholders. Mr. Hill has worked with several tech companies creating and teaching red team coursework and conducting penetration testing in the commercial industry and DoD. Jason also spent 22 years as a US Army National Guardsman for the Commonwealth of Virginia. As Master Sergeant of the 91st Cyber Brigade, he led the cyber opposition forces, which provide red team and pen testing capabilities. He has achieved the Offensive Security Certified Professional and Certified Ethical Hacker certifications. Next is Genevieve Marquardt, who serves as a member of the National Cybersecurity Assessments and Technical Services (NCATS) Cyber Hygiene team, which is responsible for continuously assessing the health of external stakeholders' endpoints reachable via the internet and maintaining an updated enterprise view of the cybersecurity posture of their systems to drive proactive mitigation of vulnerabilities and reduce risk. Genevieve provides technical support pertaining to public IP scans and testing of DACA of public-facing networks for stakeholders. And finally, Derek Thornton, Federal Lead, joined the National Cybersecurity Assessments and Technical Services (NCATS) team in June 2017.
As an information security specialist, sorry, Derek serves as a Federal Lead leading the NCATS RVA team conducting two-week penetration tests. An 11-year veteran of the US Air Force, Derek was stationed at Robins Air Force Base, Georgia and at White Sands Missile Range, New Mexico, while also serving two tours in the Middle East. The four years of military service at the White Sands Missile Range was an assignment to the National Reconnaissance Office, which led to a 21-year career at the NRO. Derek has a Bachelor of Science in Technical Management from DeVry University. Thank you. Thank you. Hey, good afternoon, everybody. If I would have known they were gonna read all those out, I would have sent way shorter bios. So, thanks for coming. My name is Jason Hill, as she said. I'm the Chief of the NCATS team for CISA, formerly DHS. We conduct cybersecurity assessments, what we call left of boom, before the adversary gets in. We try to find all of the vulnerabilities we can in any of the customers that we go against. I wanna give you a little bit of background about the services that we provide, and I'm gonna start off by telling you they're free. And we give them to the federal government, state, local, tribal, territorial, and critical infrastructure and private sector groups. So basically, if you're in the United States or you're a US-owned company, we can offer our services to you. If you go to the US-CERT website, you can find us there. If you email NCATS underscore info, you can ask, I'm sorry, NCATS_info at hq.dhs.gov, you can request services there or our service catalog for what we offer. So we're gonna talk a little bit about elections and what we're doing for elections. Right now, elections is one of our top priorities, as I'm sure everyone who's talked from CISA has told you already. And we're here to help secure the nation's election infrastructure. So I'm gonna talk a little bit about the services that we have.
I'm gonna pass it over to my teammates here and let them kind of talk about some of the numbers we're doing. And then we'll entertain any questions that you guys have about what it is that we actually do. So we actually offer nine different services. I'm gonna briefly talk about them. The first one that we offer, that Genevieve kind of participates in, is called our CyHy program, our cyber hygiene. It is an external scan of a customer's perimeter. So they give us a list of IPs. We scan them looking for vulnerabilities and assets that are online. I'll let her talk a little bit about how we do that with the elections and the type of customers that we have when I'm finished talking about all the services. So another service that we offer is a phishing campaign assessment. It's a six-week engagement where we send six different emails to a customer, ranging from the Nigerian prince scam to a targeted spear phishing campaign, where I usually click on all of them when they do it to me. So it's pretty effective. Another service that we have is our RVA, risk and vulnerability assessment. It's our two-week penetration test. We have a remote penetration test where all we do is remote assessment work, to include web app scanning, external penetration testing and a phishing campaign assessment where we work with the vendor to see which attachments, sorry, got stuck there, attachments will make it through to the endpoint user and will actually activate. We kind of steal that data and give it to our red team folks and let them know which customers are affected by which attachments or which malware that we send to them. And then finally we have something called a CPE, or critical product evaluation, where we take in equipment.
We are partnered with some of the national lab folks out in Idaho and Pacific Northwest National Labs, where we will send equipment out there and let some really smart people tear it down to the software, firmware and sometimes the hardware level to look for vulnerabilities. I'm gonna give a little background on your cyber hygiene and some of the numbers that you're doing. Yeah, so as Jason mentioned, our cyber hygiene program is pretty much, we're doing everything externally. We're just kind of sitting there testing to see if your windows are open, we're not going inside, kind of a deal. So for our cyber hygiene vulnerability scanning, that service, our cyber hygiene vulnerability scanning service, is offered to all customers, as well as our phishing campaign assessments and our penetration testing assessments. Those are all encompassed within our cyber hygiene program. So for the vulnerability scanning, essentially what we do is we use Nmap to do network mapping and then any hosts that we find, we'll run Nessus scans against. We'll provide those to you on a weekly basis, the reports, but the scanning is done continuously, and it's all automated. For the phishing campaign assessments, it is a six-week campaign. We do varying levels, and that's to test your user behavior. That's really where the focus is. What kind of indicators are you susceptible to, and how you can kind of bolster your security awareness programs against the findings that we get out of that service. The remote penetration testing, like Jason said, we do web application scanning. We do open source intelligence. We do Nessus scans as well, and then the phishing there is testing what payloads are available. So with that program, we kind of say, yeah, usually at least one user is gonna click. Instead of testing user behavior, which we do in our phishing campaign assessments, for the remote penetration testing, we're instead focusing on what payloads are actually able to work.
For cyber hygiene, we currently have about 1,300 customers total, and of those 200 or so are elections, but we are seeing many more starting to sign up, especially recently with the 2020 elections coming up and such. There have been counties that have actually created directives for their board of elections to start signing up for our cyber hygiene vulnerability scanning services as well as some of our other services. Phishing campaign assessments, we've done five this year and there's still three more in progress, and then for remote penetration testing, we've completed 25 and we've got 20 in progress currently for those. So Genevieve kind of mentioned we've got a couple of states that have reached out to us and asked for our help. A couple of, one of the states has actually directed its 80-some-odd counties to come get our services. The issue with that is that we have limited resources to do this. We've got a team of about 64 federal employees. We also employ a couple of contract companies that help us force multiply, but currently we can't do that entire state's 80-some-odd counties with all of the services that we do. So what we've done is we've offered to those counties and to those states that are asking for our services, we're offering them the cyber hygiene program. Right now we have roughly 1,300 customers in our cyber hygiene program and we can scale that up to about 6,000. So roughly there are 3,007 counties in the United States. So if all of them wanted to sign up, they could. One thing that we didn't mention is that all of our services are voluntary, so we can't make anyone sign up for this, with the exception of the federal government. They have to sign up for cyber hygiene. And so getting kind of back to the states. So what we're looking to do is we have another group within CISA called Methodology. It's a branch that is designed to bring in entities from the outside.
So for instance, if a state's National Guard unit is a cyber unit, they can come to our facility and kind of learn our methodology and then go back to their states with that methodology, so that the states can reach out to their own folks to help secure their election infrastructure. So what I wanna do next is kind of turn it over to Derek Thornton, he's a Fed lead with our RVA program, our risk and vulnerability assessment program, kind of let him talk about that program and the numbers that we're doing, and then we'll talk about what we're actually seeing out there in regards to elections. Thank you. So I am part of the risk and vulnerability assessment program. And we do assessments on different entities, not just elections, but we do infrastructure, we do private companies, I'm sorry, we do private companies, we also do infrastructure. We do, I'm forgetting this here. Anyway, we have, I'm kind of thinking off the top here. So it's a two-week assessment, what we do. First week is external, we do that from our labs. And what we do is fire off everything we can externally. We try to go for your web applications, we try to go for your open services, open ports that we may see. And we also launch a phishing campaign. So we'll do a pen test that includes phishing. It's not to the degree of the six-week program that they have, ours is two weeks, so we're pretty loud. The reason why that is, is with two weeks we cannot be as quiet as, say, a red team. So we are not a red team. Red team is a different part of our group. But so we do two weeks, it's external. We do the external pen test. We do also internal, that's onsite at the customer location. We'll get in there and try to see if we can plug into the wall, if, for instance, a janitor could plug into the wall, see how far he can get. We also test if a user with regular admin credits, with regular credentials, how far could that person get? Could a regular user get in there and do damage to your system?
We try to go in there and do that too. We also try to see if we can pull data out and see if it can be passed outside of their network. The whole idea is to bring up an idea of where you stand as far as risk management goes. Do you have any risk? Can you manage the risk that you have? Can you mitigate the risk that you have? And that's what we're trying to do with the RVA portion of it. What we wanna do is just, we wanna touch base and hit everything that we can externally, internally. And we let the different organizations within CISA handle the other groups. So all of us work together. Saha is part of this, everything. And everything that we do kinda gets combined, and they can have an overall status of how they look from a network point or from an internal point. Oh, okay, sorry about that. As far as the number of RVAs we've done, we have completed 12 and we have two more to go. Those are upcoming, and then fiscal year, of course, all of that resets and we do more. But like he says, we do have limited resources. It's hard for us to get as many as we would like, but that is changing. One of the other things that we do is that critical product evaluation. So Derek mentioned we did 12 election entities already. That's where we go out to these localities, the states, the counties, and we assess their election infrastructure. One of the biggest issues that we're finding is that a lot of these places, they don't have their election infrastructure turned on, and they turn it on the night of the election. So they will put their equipment out, they will gather the votes, they will tabulate them, and then they will send them to wherever they need to go, and that entire infrastructure set is not turned on for the rest of the year. So in that way, it's secure until it's actually turned on. And then we are not sure yet how they're securing that or updating that infrastructure. And it's pretty different between the customers that we see.
We kind of talked about the CPE, or critical product evaluation. We've done two of those already. One of them was with a company called Unisyn and another company called ES&S. So they brought their equipment out to our labs in Idaho and we tore it apart. We looked at the vulnerabilities that we could find within those pieces of equipment and then worked with those vendors to help them come up with a mitigation plan. These two vendors have publicly acknowledged that they've done this, and we have one more that's in the works, that's being done right now, having their equipment broken down. I think that's it. Is there anything else you want to talk about? So when we talk about the numbers that we're doing, it doesn't seem like it's a lot. Like I said, we have 64 folks that are doing this work. And with our RVAs, we can only schedule out 90 of those per year based on the resources that we have. Out of that 90, 30 of those are going to go to mandated federal assessments that we do called high value assets. And then that leaves 60 discretionary assessments that we can conduct yearly. And out of that 60, it's based on voluntary election folks that come seek our services. So that's all I've got for our presentation and what we're doing as far as securing the election infrastructure of the country. So if there's any questions, we'd be happy to answer them. Yes. I can't really talk about who has reached out to us. NCATS underscore info, N-C-A-T-S underscore info, at hq.dhs.gov. Yes, sir, in the cowboy hat. We do, again, we don't have very many people. We don't have a traveling road show where we go out and meet with these folks, but we do go to various different places like, there's a CIO council that we visit and talk to. We go to InfraGard. There's the election ISAC that we go to and kind of talk about our services. There's the MS-ISAC that's out there that we kind of share our services with. So the word gets out to the states.
And what we're finding, as soon as one of them hears about it, the rest of them hear about it. And they're usually knocking on our door about it. Yes, sir, at the end of the aisle there. Yes, we're always hiring. NCATS underscore info. Yeah, I don't know if everyone heard that, but what the gentleman said was that he's assessed a couple of places like that and it's hard to get them to mitigate it. I think when we're talking at the county level, there's not a lot of dollars going around for cybersecurity, and it's really tough to show them what's wrong and then them not be able to fix it based on the resources that they have. And it's not just election infrastructure that we find that way at the county level. We find that in many different sectors. So, yeah. I'm not sure how to get them to fix that. It's gonna have to. Yeah, not inside of NCATS, and I'm not sure if that's something that CISA is gonna wanna do in the future. I mean, it's kind of a hard thing to do. Yeah, sorry. On the aisle there. Yes, you? With the candidates, you're asking? No, so we haven't had any of the candidates reach out to us yet. If they did, I'm not sure how we would handle that. We'd probably treat them like any other customer. They'd have to sign up for the services and then we would provide them. I know that we, Nick Arroyo back there in the green shirt, wave your hand, Nick. He's gonna be handling our RVA services for the RNC and the DNC. Currently, I believe there's quite a number of candidates, so they're not on the radar right now. So, yes, sir? Yes, you? So we haven't yet. One of the things, one of the reasons why, is that we have a way to very easily collect .gov domains, and some states use .gov domains as well, so those we can more easily collect, but in order to get the elections-based ones, we're gonna need to reach out to get the specific domains to be scanned. We are looking at doing that in the near future, but we don't really have an ETA on that.
Essentially what we'd probably do is create a private GitHub repo that we'd be able to pull from, where we put the domains to scan, because we don't want people knowing who our customers are, necessarily, because then that could make them a target, I think. Yeah, so our services are voluntary, so one of the things that we give back to the community for them to volunteer for our services is anonymity, so we give them the privacy. We don't wanna put out, right now we don't wanna put out who's coming to us along with whether or not they have issues. Anyone else? Yes, sir? Yeah, I'm glad you asked. So, phishing is the number one issue that we run into, phishing susceptibility and phishing weakness is what we call it, so the people first and then the infrastructure security, infrastructure four to handle phishing, payloads and links, and then patching would be the third biggest issue that we're finding. Again, these are small counties in a lot of places, and they don't really have the IT staff to handle some of this work, and sometimes, just like anywhere, it's not a top priority. Depends on where, yes ma'am. I'm sorry, I can't hear you. Yes, that's correct. Yep, Derek, did you wanna add something? Yeah, another thing that we've noticed as far as weaknesses, admin passwords. Admin passwords, too many credentials as a baseline. We've seen a lot of admin passwords that are just elevated for no reason. I'm sorry, user accounts with elevated privileges. Anyone else? Yes, sir? Yes. There's a handful. We find that even in some of the small places, the folks that are really passionate about their job, they may not be getting paid very well, but they're passionate about what they're doing, so they're taking the best steps they can, so there are some good places out there. Yes, it's not all dire. That's not the picture that I wanna paint, because it's not that bad. There's really no difference between an election system and a normal network system that we test.
We find the exact same vulnerabilities in all of the networks that we test across our customer set. They're so standardized that our findings have become standardized, and we have a repository of findings with canned language, and every time we find a vulnerability we're usually pulling it from that database. Yes, ma'am? Not our group, I can give you one example. Recently we were at an elections location and we found evidence of ransomware. When we find that, thank you, when we find that type of stuff or evidence of a previous breach, we will contact the customer to let them know, and then CISA also has a threat hunting group, who we call right of boom, so after something happens they can go assist the customer in cleaning that up or finding out what happened and walking it back to what the issue was, but NCATS doesn't do that. Like I said, we're left of boom, we're left of something happening. Yes, ma'am. Anyone else? Okay, well thank you very much.